<!DOCTYPE html>
<html lang="zh-CN">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 4.2.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">
  <link rel="stylesheet" href="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.css">

<script id="hexo-configurations">
    var NexT = window.NexT || {};
    var CONFIG = {"hostname":"gwashitgton.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":true,"show_result":true,"style":"mac"},"back2top":{"enable":true,"sidebar":false,"scrollpercent":true},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":true,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":"enable","trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"search.xml"};
  </script>

  <meta name="description" content="在实际的安全和运维工作中，应该在网络和系统被攻击之前，做好充分的准备，深挖战壕广积粮，才能在网络被攻击时能够从容的应对。">
<meta property="og:type" content="article">
<meta property="og:title" content="Linux应急响应">
<meta property="og:url" content="https://gwashitgton.gitee.io/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/">
<meta property="og:site_name" content="Enterprise">
<meta property="og:description" content="在实际的安全和运维工作中，应该在网络和系统被攻击之前，做好充分的准备，深挖战壕广积粮，才能在网络被攻击时能够从容的应对。">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527172126.png">
<meta property="og:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527172432.png">
<meta property="og:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527215103.png">
<meta property="article:published_time" content="2020-05-27T14:34:05.000Z">
<meta property="article:modified_time" content="2020-05-27T14:40:32.010Z">
<meta property="article:author" content="Odin">
<meta property="article:tag" content="Linux">
<meta property="article:tag" content="应急响应">
<meta name="twitter:card" content="summary">
<meta name="twitter:image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527172126.png">

<link rel="canonical" href="https://gwashitgton.gitee.io/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  CONFIG.page = {
    sidebar: "",
    isHome : false,
    isPost : true,
    lang   : 'zh-CN'
  };
</script>

  <title>Linux应急响应 | Enterprise</title>
  


  <script>
    var _hmt = _hmt || [];
    (function() {
      var hm = document.createElement("script");
      hm.src = "https://hm.baidu.com/hm.js?a3850f6ef1a87fae200c86d8a5c3a0d7";
      var s = document.getElementsByTagName("script")[0];
      s.parentNode.insertBefore(hm, s);
    })();
  </script>




  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

<link rel="alternate" href="/atom.xml" title="Enterprise" type="application/atom+xml">
</head>
<script type="text/javascript" src="/js/love.js"></script>
<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>

    <header class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-container">
  <div class="site-nav-toggle">
    <div class="toggle" aria-label="切换导航栏">
      <span class="toggle-line toggle-line-first"></span>
      <span class="toggle-line toggle-line-middle"></span>
      <span class="toggle-line toggle-line-last"></span>
    </div>
  </div>

  <div class="site-meta">

    <a href="/" class="brand" rel="start">
      <span class="logo-line-before"><i></i></span>
      <h1 class="site-title">Enterprise</h1>
      <span class="logo-line-after"><i></i></span>
    </a>
      <p class="site-subtitle" itemprop="description">纸上得来终觉浅，绝知此事要躬行</p>
  </div>

  <div class="site-nav-right">
    <div class="toggle popup-trigger">
        <i class="fa fa-search fa-fw fa-lg"></i>
    </div>
  </div>
</div>




<nav class="site-nav">
  <ul id="menu" class="main-menu menu">
        <li class="menu-item menu-item-home">

    <a href="/" rel="section"><i class="fa fa-home fa-fw"></i>首页</a>

  </li>
        <li class="menu-item menu-item-tags">

    <a href="/tags/" rel="section"><i class="fa fa-tags fa-fw"></i>标签</a>

  </li>
        <li class="menu-item menu-item-categories">

    <a href="/categories/" rel="section"><i class="fa fa-th fa-fw"></i>分类</a>

  </li>
        <li class="menu-item menu-item-archives">

    <a href="/archives/" rel="section"><i class="fa fa-archive fa-fw"></i>归档</a>

  </li>
      <li class="menu-item menu-item-search">
        <a role="button" class="popup-trigger"><i class="fa fa-search fa-fw"></i>搜索
        </a>
      </li>
  </ul>
</nav>



  <div class="search-pop-overlay">
    <div class="popup search-popup">
        <div class="search-header">
  <span class="search-icon">
    <i class="fa fa-search"></i>
  </span>
  <div class="search-input-container">
    <input autocomplete="off" autocapitalize="off"
           placeholder="搜索..." spellcheck="false"
           type="search" class="search-input">
  </div>
  <span class="popup-btn-close">
    <i class="fa fa-times-circle"></i>
  </span>
</div>
<div id="search-result">
  <div id="no-result">
    <i class="fa fa-spinner fa-pulse fa-5x fa-fw"></i>
  </div>
</div>

    </div>
  </div>

</div>
    </header>

    
  <div class="back-to-top">
    <i class="fa fa-arrow-up"></i>
    <span>0%</span>
  </div>
  <div class="reading-progress-bar"></div>

  <a href="https://github.com/Grergo" class="github-corner" title="Follow me on GitHub" aria-label="Follow me on GitHub" rel="noopener" target="_blank"><svg width="80" height="80" viewBox="0 0 250 250" aria-hidden="true"><path d="M0,0 L115,115 L130,115 L142,142 L250,250 L250,0 Z"></path><path d="M128.3,109.0 C113.8,99.7 119.0,89.6 119.0,89.6 C122.0,82.7 120.5,78.6 120.5,78.6 C119.2,72.0 123.4,76.3 123.4,76.3 C127.3,80.9 125.5,87.3 125.5,87.3 C122.9,97.6 130.6,101.9 134.4,103.2" fill="currentColor" style="transform-origin: 130px 106px;" class="octo-arm"></path><path d="M115.0,115.0 C114.9,115.1 118.7,116.5 119.8,115.4 L133.7,101.6 C136.9,99.2 139.9,98.4 142.2,98.6 C133.8,88.0 127.5,74.4 143.8,58.0 C148.5,53.4 154.0,51.2 159.7,51.0 C160.3,49.4 163.2,43.6 171.4,40.1 C171.4,40.1 176.1,42.5 178.8,56.2 C183.1,58.6 187.2,61.8 190.9,65.4 C194.5,69.0 197.7,73.2 200.1,77.6 C213.8,80.2 216.3,84.9 216.3,84.9 C212.7,93.1 206.9,96.0 205.4,96.6 C205.1,102.4 203.0,107.8 198.3,112.5 C181.9,128.9 168.3,122.5 157.7,114.1 C157.9,116.9 156.7,120.9 152.7,124.9 L141.0,136.5 C139.8,137.7 141.6,141.9 141.8,141.8 Z" fill="currentColor" class="octo-body"></path></svg></a>


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content post posts-expand">
            

    
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="zh-CN">
    <link itemprop="mainEntityOfPage" href="https://gwashitgton.gitee.io/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="https://gitee.com/GWashitgton/Picture/raw/master/image/20200422132544.JPG">
      <meta itemprop="name" content="Odin">
      <meta itemprop="description" content="">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Enterprise">
    </span>
      <header class="post-header">
        <h1 class="post-title" itemprop="name headline">
          Linux应急响应
        </h1>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">发表于</span>
              

              <time title="创建时间：2020-05-27 22:34:05 / 修改时间：22:40:32" itemprop="dateCreated datePublished" datetime="2020-05-27T22:34:05+08:00">2020-05-27</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">分类于</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/Linux/" itemprop="url" rel="index"><span itemprop="name">Linux</span></a>
                </span>
            </span>

          
  
  <span class="post-meta-item">
    
      <span class="post-meta-item-icon">
        <i class="far fa-comment"></i>
      </span>
      <span class="post-meta-item-text">Valine：</span>
    
    <a title="valine" href="/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/#valine-comments" itemprop="discussionUrl">
      <span class="post-comments-count valine-comment-count" data-xid="/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/" itemprop="commentCount"></span>
    </a>
  </span>
  
  <br>
            <span class="post-meta-item" title="本文字数">
              <span class="post-meta-item-icon">
                <i class="far fa-file-word"></i>
              </span>
                <span class="post-meta-item-text">本文字数：</span>
              <span>8.7k</span>
            </span>
            <span class="post-meta-item" title="阅读时长">
              <span class="post-meta-item-icon">
                <i class="far fa-clock"></i>
              </span>
                <span class="post-meta-item-text">阅读时长 &asymp;</span>
              <span>8 分钟</span>
            </span>
            <div class="post-description">在实际的安全和运维工作中，应该在网络和系统被攻击之前，做好充分的准备，深挖战壕广积粮，才能在网络被攻击时能够从容的应对。</div>

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
        <a id="more"></a>
<!-- markdownlint-disable MD041 MD002-->

<h2 id="Linux-应急响应"><a href="#Linux-应急响应" class="headerlink" title="Linux 应急响应"></a>Linux 应急响应</h2><p>​    <strong>在实际的安全和运维工作中，应该在网络和系统被攻击之前，做好充分的准备，深挖战壕广积粮，才能在 网络被攻击时能够从容的应对。针对Linux服务器而言，强烈建议严格按照【<a href="https://gwashitgton.gitee.io/2020/04/23/Linux%E7%B3%BB%E7%BB%9F%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA/">Linux基线加固</a>】中的条目对服务器进行加固。</strong></p>
<h3 id="应急响应概述"><a href="#应急响应概述" class="headerlink" title="应急响应概述"></a>应急响应概述</h3><p>​    当你的Linux服务器被攻击了，就需要对服务器进行应急响应。在Linux 系统中，一切皆文件。黑客入侵的手段大部分都是利用系统对文件上传的控制不严格，上传WebShell。黑客要想在系统中启动一个进程，那么必须要有对应的进程启动文件。服务器中了病毒和木马，病毒和木马本身也都是一个文件。</p>
<p>​    应急响应最核心的问题就是找到这些非法上传，或者是非法改动的文件，将这些文件全部删除或者进行替换，并且要将这些文件启动的进程全部杀掉。最后要找到黑客的入侵方式，彻底切断黑客的入侵途经，封堵漏洞。</p>
<h3 id="服务器被攻击的症状"><a href="#服务器被攻击的症状" class="headerlink" title="服务器被攻击的症状"></a>服务器被攻击的症状</h3><p>​    当服务器被攻击了，一般都会或多或少表现出一定的症状，例如：CPU利用率升高，服务器网络流量增加，内存占用率增加，出现不明进程，服务器处理能力变慢，异常重启等等。如果服务器出现了这些症状，那就需要进行一次完整检查了。</p>
<h3 id="应急响应流程"><a href="#应急响应流程" class="headerlink" title="应急响应流程"></a>应急响应流程</h3><p>​    <strong>第一件事情应该是切断网络，但是有些环境不允许网络断开，就只能跳过这一步。</strong></p>
<p><img src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527172126.png" alt="应急响应流程"></p>
<h4 id="查看历史命令"><a href="#查看历史命令" class="headerlink" title="查看历史命令"></a>查看历史命令</h4><p>​    发现Linux 服务器被攻击，要做应急响应，登录主机后的第一件事，就是查看主机的历史命令：</p>
<p><img src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527172432.png" alt="image-20200527172430859"></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 检查Root用户的.bash_history 文件</span></span><br><span class="line">cat /root/.bash_history</span><br><span class="line"><span class="meta">#</span><span class="bash"> 检查普通用户的.bash_history 文件</span></span><br><span class="line">cat /home/[user]/.bash_history</span><br></pre></td></tr></table></figure>

<p>​    虽然大部分黑客在入侵后删除历史命令，但是不排除有些黑客忘记删除。如果没有删除历史命令，那么可以通过历史命令知道黑客做了哪些操作，这样后续的工作就非常简单了。</p>
<h4 id="排查用户信息"><a href="#排查用户信息" class="headerlink" title="排查用户信息"></a>排查用户信息</h4><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> Linux 服务器中招之后</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> whoami 查看当前用户</span></span><br><span class="line">➜  ~ whoami </span><br><span class="line">root</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 通过who命令查看当前登录系统的所有用户</span></span><br><span class="line">➜  ~ who</span><br><span class="line">root     pts/0        2020-05-27 17:23 (192.168.5.2)</span><br><span class="line"><span class="meta">#</span><span class="bash"> 有可能发现服务器异常时，黑客还在登录，那么用who命令就可以检查出来。</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> w命令显示已经登录系统的所用用户，以及正在执行的指令</span></span><br><span class="line">➜  ~ w</span><br><span class="line"> 17:53:32 up 30 min,  2 users,  load average: 0.00, 0.01, 0.05</span><br><span class="line">USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT</span><br><span class="line">b        pts/0    192.168.5.2      17:53    4.00s  0.01s  0.00s sleep 1000</span><br><span class="line">root     pts/1    192.168.5.2      17:51    4.00s  0.26s  0.00s w</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 发现有个用户b 正在执行sleep 1000 这个命令，根据这个信息将b用户的该进程杀掉</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> 通过 ps -ef | grep sleep 找到该进程ID，然后使用<span class="built_in">kill</span> -9 id 杀掉该进程</span></span><br><span class="line">➜  ~ ps -ef | grep sleep</span><br><span class="line">b          7654   7633  0 17:53 pts/0    00:00:00 sleep 1000</span><br><span class="line">root       7676   7502  0 17:54 pts/1    00:00:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox sleep</span><br><span class="line"></span><br><span class="line">➜  ~ kill -9 7654</span><br><span class="line">➜  ~ ps -ef | grep sleep </span><br><span class="line">root       7724   7502  0 17:56 pts/1    00:00:00 grep --color=auto --exclude-dir=.bzr --exclude-dir=CVS --exclude-dir=.git --exclude-dir=.hg --exclude-dir=.svn --exclude-dir=.idea --exclude-dir=.tox sleep</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 发现该进程被杀掉了</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> 接下来锁定该用户，并将其强制下线</span></span><br><span class="line">➜  ~ w</span><br><span class="line"> 17:58:11 up 34 min,  1 user,  load average: 0.00, 0.01, 0.05</span><br><span class="line">USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT</span><br><span class="line">root     pts/1    192.168.5.2      17:51    3.00s  0.97s  0.00s w</span><br><span class="line"><span class="meta">#</span><span class="bash"> b用户已离线</span></span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> last命令查看最近登录成功的用户及信息</span></span><br><span class="line">➜  ~ last</span><br><span class="line">b        pts/0        192.168.5.2      Wed May 27 17:53 - 17:58  (00:04)    </span><br><span class="line">root     pts/0        192.168.5.2      Wed May 27 17:52 - 17:53  (00:00)    </span><br><span class="line">root     pts/1        192.168.5.2      Wed May 27 17:51   still logged in   </span><br><span class="line">root     pts/0        192.168.5.2      Wed May 27 17:23 - 17:52  (00:28)    </span><br><span class="line">reboot   system boot  3.10.0-957.el7.x Wed May 27 17:23 - 21:20  (03:57)    </span><br><span class="line">root     pts/0        192.168.5.2      Mon May 18 22:25 - 00:21  (01:56)   </span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 显示logged <span class="keyword">in</span>表示用户还在登录</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> pts表示从SSH远程登录</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> tty表示从控制台登录，就是在服务器旁边登录</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> lastb命令查看最近登录失败的用户及信息</span></span><br><span class="line">[root@srv01 ~]# lastb</span><br><span class="line">root tty1 Tue Jan 7 01:16 - 01:16 (00:00)</span><br><span class="line">root tty1 Tue Jan 7 01:16 - 01:16 (00:00)</span><br><span class="line">a ssh:notty 192.168.225.1 Mon Jan 6 22:07 - 22:07 (00:00)</span><br><span class="line">a ssh:notty 192.168.225.1 Mon Jan 6 22:07 - 22:07 (00:00)</span><br><span class="line">a ssh:notty 192.168.225.1 Mon Jan 6 22:07 - 22:07 (00:00)</span><br><span class="line">a ssh:notty 192.168.225.1 Mon Jan 6 22:07 - 22:07 (00:00)</span><br><span class="line">a ssh:notty 192.168.225.1 Mon Jan 6 22:07 - 22:07 (00:00)</span><br><span class="line">root tty1 Thu May 9 19:06 - 19:06 (00:00)</span><br><span class="line"><span class="meta">#</span><span class="bash"> ssh表示从SSH远程登录</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> tty表示从控制台登录</span></span><br></pre></td></tr></table></figure>

<p>​    如果你在排查服务器的时候，黑客没有在线，可以使用last命令排查黑客什么时间登录的有的黑客登录时，会将/var/log/wtmp文件删除或者清空，这样我们就无法使用last命令获得有用的信息了。在黑客入侵之前，必须使用chattr +a对/var/log/wtmp文件进行锁定，避免被黑客删除。</p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> lastlog命令显示所有用户最近一次登录信息</span></span><br><span class="line">➜  ~ lastlog </span><br><span class="line">Username         Port     From             Latest</span><br><span class="line">root             pts/0    192.168.5.2      Wed May 27 17:52:45 +0800 2020</span><br><span class="line">bin                                        **Never logged in**</span><br><span class="line">daemon                                     **Never logged in**</span><br><span class="line">adm                                        **Never logged in**</span><br><span class="line">lp                                         **Never logged in**</span><br><span class="line">sync                                       **Never logged in**</span><br><span class="line">shutdown                                   **Never logged in**</span><br><span class="line">halt                                       **Never logged in**</span><br><span class="line">mail                                       **Never logged in**</span><br><span class="line">operator                                   **Never logged in**</span><br><span class="line">games                                      **Never logged in**</span><br><span class="line">ftp                                        **Never logged in**</span><br><span class="line">nobody                                     **Never logged in**</span><br><span class="line">systemd-network                            **Never logged in**</span><br><span class="line">dbus                                       **Never logged in**</span><br><span class="line">polkitd                                    **Never logged in**</span><br><span class="line">sshd                                       **Never logged in**</span><br><span class="line">postfix                                    **Never logged in**</span><br><span class="line">abc              pts/0    gateway          Tue Feb  4 20:35:34 +0800 2020</span><br><span class="line">a                                          **Never logged in**</span><br><span class="line">b                pts/0    192.168.5.2      Wed May 27 17:53:22 +0800 2020</span><br><span class="line"><span class="meta">#</span><span class="bash"> 在黑客入侵之前，必须使用chattr +a对/var/<span class="built_in">log</span>/lastlog文件进行锁定，避免被黑客删除或者清空。</span></span><br></pre></td></tr></table></figure>

<p>排查passwd 文件，重点排查如下内容：</p>
<ul>
<li>哪些用户不能登录，shell却为/bin/bash —&gt; 修改建议：将shell修改为/sbin/nologin</li>
<li>哪些普通用户的UID=0 —&gt; 修改建议：禁用该用户或删除该用户</li>
<li>是否多出了不明用户。</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 查看可登录用户：</span></span><br><span class="line">cat /etc/passwd | grep /bin/bash</span><br><span class="line"><span class="meta">#</span><span class="bash"> 查看UID=0的用户</span></span><br><span class="line">awk -F: '$3==0&#123;print $1&#125;' /etc/passwd</span><br><span class="line"><span class="meta">#</span><span class="bash"> 查看sudo权限的用户</span></span><br><span class="line">more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"</span><br></pre></td></tr></table></figure>

<h3 id="排查端口进程"><a href="#排查端口进程" class="headerlink" title="排查端口进程"></a>排查端口进程</h3><p>​    使用<code>top</code>命令查看进程</p>
<p><img src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200527215103.png" alt="image-20200527215100957"></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 使用ls -l命令查看某个进程的可执行文件的完整路径</span></span><br><span class="line">例如：查看 PID=842的SSH进程的可执行文件</span><br><span class="line"><span class="meta">#</span><span class="bash"> ls -l /proc/842/exe</span></span><br><span class="line">lrwxrwxrwx 1 root root 0 Jan 7 19:06 /proc/842/exe -&gt; /usr/sbin/sshd</span><br><span class="line"><span class="meta">#</span><span class="bash"> 如果找不到任何可疑文件，文件可能被删除，这个可疑的进程已经保存到内存中，是个内存进程。这时需要查找PID 然后<span class="built_in">kill</span>掉。</span></span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash">lsof 命令查看进程打开的文件</span></span><br><span class="line">➜  ~ lsof -p 7502  </span><br><span class="line">COMMAND  PID USER   FD   TYPE DEVICE  SIZE/OFF     NODE NAME</span><br><span class="line">zsh     7502 root  cwd    DIR  253,0      4096 33574977 /root</span><br><span class="line">zsh     7502 root  rtd    DIR  253,0       224       64 /</span><br><span class="line">zsh     7502 root  txt    REG  253,0    740496 50878051 /usr/bin/zsh</span><br><span class="line">zsh     7502 root  mem    REG  253,0     11488    43685 /usr/lib64/zsh/5.0.2/zsh/regex.sozsh     7502 root  mem    REG  253,0     70280   279590 /usr/lib64/zsh/5.0.2/zsh/computil.so</span><br><span class="line"><span class="meta">#</span><span class="bash"> 或者通过服务名查看该进程打开的文件</span></span><br><span class="line">lsof -c sshd</span><br><span class="line">COMMAND  PID USER   FD   TYPE             DEVICE SIZE/OFF     NODE NAME</span><br><span class="line">sshd    6590 root  cwd    DIR              253,0      224       64 /</span><br><span class="line">sshd    6590 root  rtd    DIR              253,0      224       64 /</span><br><span class="line">sshd    6590 root  txt    REG              253,0   853040   551331 /usr/sbin/sshd</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 通过端口号查看进程</span></span><br><span class="line">➜  ~ lsof -i :22</span><br><span class="line">COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME</span><br><span class="line">sshd    6590 root    3u  IPv4  35947      0t0  TCP *:ssh (LISTEN)</span><br><span class="line">sshd    7500 root    3u  IPv4  37659      0t0  TCP localhost.localdomain:ssh-&gt;192.168.5.2:cspmulti (ESTABLISHED)</span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 查看进程的启动时间点</span></span><br><span class="line">➜  ~ ps -p 6590 -o lstart</span><br><span class="line">                 STARTED</span><br><span class="line">Wed May 27 17:23:44 2020</span><br><span class="line"><span class="meta">#</span><span class="bash"> 可以通过时间点来判断该进程是否是可疑进程</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 使用netstat -pantu | grep [PID] 通过进程id来查看端口的连接情况</span></span><br><span class="line">➜  ~ netstat -pantu | grep 6590</span><br><span class="line">tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      6590/sshd</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 使用fuser -n [tcp/udp] [端口号] 来查看端口对应的进程</span></span><br><span class="line">➜  ~ fuser -n tcp 22</span><br><span class="line">22/tcp:               6590  7500</span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 使用ps命令查看进程</span></span><br><span class="line">➜  ~ ps -ef</span><br><span class="line">UID         PID   PPID  C STIME TTY          TIME CMD</span><br><span class="line">root          1      0  0 17:23 ?        00:00:01 /usr/lib/systemd/systemd --switched-rooroot          2      0  0 17:23 ?        00:00:00 [kthreadd]</span><br><span class="line">root          3      2  0 17:23 ?        00:00:00 [ksoftirqd/0]</span><br><span class="line">root          5      2  0 17:23 ?        00:00:00 [kworker/0:0H]</span><br><span class="line">root          7      2  0 17:23 ?        00:00:00 [migration/0]</span><br><span class="line">root          8      2  0 17:23 ?        00:00:00 [rcu_bh]</span><br><span class="line">--------------------------------------以下省略-----------------------------------------------------------</span><br><span class="line"><span class="meta">#</span><span class="bash"> 使用[]括起来的进程一般是正常的系统进程，黑客的进程通常是.sshd，aa.sh，.sdofafdjja等。这些文件通常是隐藏文件，都是以【.】开头，要查找到这些文件，需要在ls命令后面加-a参数。</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 按照CPU使用率从高到低排序</span></span><br><span class="line">➜  ~ ps -ef --sort -pcpu</span><br><span class="line">UID         PID   PPID  C STIME TTY          TIME CMD</span><br><span class="line">root          1      0  0 17:23 ?        00:00:01 /usr/lib/systemd/systemd --switched-rooroot          2      0  0 17:23 ?        00:00:00 [kthreadd]</span><br><span class="line">root          3      2  0 17:23 ?        00:00:00 [ksoftirqd/0]</span><br><span class="line">root          5      2  0 17:23 ?        00:00:00 [kworker/0:0H]</span><br><span class="line">root          7      2  0 17:23 ?        00:00:00 [migration/0]</span><br><span class="line">root          8      2  0 17:23 ?        00:00:00 [rcu_bh]</span><br><span class="line">--------------------------------------以下省略-----------------------------------------------------------</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 按照内存使用率从高到低排序</span></span><br><span class="line">➜  ~ ps -ef --sort -pmem</span><br><span class="line">UID         PID   PPID  C STIME TTY          TIME CMD</span><br><span class="line">root       7502   7500  0 17:51 pts/1    00:00:06 -zsh</span><br><span class="line">root       6046      1  0 17:23 ?        00:00:15 /usr/bin/vmtoolsd</span><br><span class="line">root       6045      1  0 17:23 ?        00:00:00 /usr/bin/VGAuthService -s</span><br><span class="line">root       7500   6590  0 17:51 ?        00:00:00 sshd: root@pts/1</span><br><span class="line">--------------------------------------以下省略-----------------------------------------------------------</span><br></pre></td></tr></table></figure>

<h3 id="排查文件修改"><a href="#排查文件修改" class="headerlink" title="排查文件修改"></a>排查文件修改</h3><p>​    应急响应的核心就是找到黑客植入/修改的文件。</p>
<p>​    可以按照以下三种方式查找修改的文件：</p>
<ul>
<li>按照名称</li>
<li>依据文件大小</li>
<li>按照时间查找</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 根据名称查找文件</span></span><br><span class="line">➜  ~ find / -name a.Test</span><br><span class="line">/root/a.Test</span><br><span class="line"><span class="meta">#</span><span class="bash"> 如果文件名记不全，可使用通配符*来补全</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> 如果不区分大小写，可以将-name 替换为-iname</span></span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 依据文件大小查找：</span></span><br><span class="line">➜  ~ find / -size +1000M</span><br><span class="line">/proc/kcore</span><br><span class="line"><span class="meta">#</span><span class="bash"> +1000M表示大于1000M的文件，-10M代表小于10M的文件</span></span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash"> 依据时间查找</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> -atime 文件的访问时间</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> -mtime 文件内容修改时间</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> -ctime 文件状态修改时间（文件权限，所有者/组，文件大小等，当然文件内容发生改变，ctime也会随着改变）</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> 要注意：系统进程/脚本访问文件，atime/mtime/ctime也会跟着修改，不一定是人为的修改才会被记录</span></span><br><span class="line">➜  ~ stat a.Test  </span><br><span class="line">  File: ‘a.Test’</span><br><span class="line">  Size: 0               Blocks: 0          IO Block: 4096   regular empty file</span><br><span class="line">Device: fd00h/64768d    Inode: 33590721    Links: 1</span><br><span class="line">Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)</span><br><span class="line">Access: 2020-05-27 22:12:20.681192600 +0800</span><br><span class="line">Modify: 2020-05-27 22:12:20.681192600 +0800</span><br><span class="line">Change: 2020-05-27 22:12:20.681192600 +0800</span><br><span class="line"> Birth: -</span><br><span class="line"><span class="meta">#</span><span class="bash"> 修改文件内容：</span></span><br><span class="line">➜  ~ echo "1230"&gt; a.Test </span><br><span class="line">➜  ~ stat a.Test  </span><br><span class="line">  File: ‘a.Test’</span><br><span class="line">  Size: 5               Blocks: 8          IO Block: 4096   regular file</span><br><span class="line">Device: fd00h/64768d    Inode: 33590721    Links: 1</span><br><span class="line">Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)</span><br><span class="line">Access: 2020-05-27 22:12:20.681192600 +0800</span><br><span class="line">Modify: 2020-05-27 22:17:58.334176870 +0800</span><br><span class="line">Change: 2020-05-27 22:17:58.334176870 +0800</span><br><span class="line"> Birth: -</span><br><span class="line"><span class="meta">#</span><span class="bash"> mtime和ctime发生了变化</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 查找最近一天以内修改的文件：</span></span><br><span class="line">➜  ~ find / -mtime -1 -ls  | more </span><br><span class="line">  1026    0 drwxr-xr-x  19 root     root         3100 May 27 17:23 /dev</span><br><span class="line"> 34061    0 crw-------   1 root     root      10,  57 May 27 17:23 /dev/vsock</span><br><span class="line"> 33151    0 crw-rw----   1 root     tty        7, 134 May 27 17:23 /dev/vcsa6</span><br><span class="line"> 33148    0 crw-rw----   1 root     tty        7,   6 May 27 17:23 /dev/vcs6</span><br><span class="line"> 33147    0 crw-rw----   1 root     tty        7, 133 May 27 17:23 /dev/vcsa5</span><br><span class="line"><span class="meta">#</span><span class="bash"> 查找50天前修改的文件：</span></span><br><span class="line">➜  ~ find ./ -mtime +50 -ls</span><br><span class="line">33880333    4 -rw-r--r--   1 root     root           18 Dec 29  2013 ./.bash_logout</span><br><span class="line">33880334    4 -rw-r--r--   1 root     root          176 Dec 29  2013 ./.bash_profile</span><br><span class="line">33880335    4 -rw-r--r--   1 root     root          176 Dec 29  2013 ./.bashrc</span><br><span class="line">33880336    4 -rw-r--r--   1 root     root          100 Dec 29  2013 ./.cshrc</span><br><span class="line">33880337    4 -rw-r--r--   1 root     root          129 Dec 29  2013 ./.tcshrc</span><br><span class="line">33574978    4 -rw-------   1 root     root         1232 Jan 20 11:20 ./anaconda-ks.cfg</span><br><span class="line"> 35289    0 drwx------   3 root     root           18 Jan 20 11:55 ./.config</span><br></pre></td></tr></table></figure>

<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#</span><span class="bash">根据属主和属组查找：</span></span><br><span class="line">-user 根据属主查找</span><br><span class="line">-group 根据属组查找</span><br><span class="line">-nouser 查找没有属主的文件</span><br><span class="line">-nogroup 查找没有属组的文件</span><br><span class="line"></span><br><span class="line"><span class="meta">#</span><span class="bash"> 查看属主是root的文件</span></span><br><span class="line">➜  ~ find ./ -user root -type f</span><br><span class="line">./.bash_logout</span><br><span class="line">./.bash_profile</span><br><span class="line">./.bashrc</span><br><span class="line">./.cshrc</span><br><span class="line">./.tcshrc</span><br><span class="line"><span class="meta">#</span><span class="bash"> -<span class="built_in">type</span> f表示查找文件，-<span class="built_in">type</span> d表示查找目录</span></span><br><span class="line"><span class="meta">#</span><span class="bash"> 注意：系统中没有属主或者没有属组的文件或目录，也容易造成安全隐患，建议删除。</span></span><br></pre></td></tr></table></figure>

<h3 id="清理后门"><a href="#清理后门" class="headerlink" title="清理后门"></a>清理后门</h3><p>​    在找到并处理植入/修改的文件之后，还需要清理后门，因为黑客为了下次访问方便，必然会在服务器上留有 后门。常见留后门的方法有如下几种：</p>
<ul>
<li>将公钥写入到服务器的authorized_keys文件中</li>
<li>创建UID=0的普通用户</li>
</ul>
<p>解决方法：</p>
<ul>
<li>清除authorized_keys文件中黑客上传的key</li>
<li><code>cat /etc/passwd</code>将UID为0的普通用户注释掉</li>
</ul>
<h3 id="查找攻击源"><a href="#查找攻击源" class="headerlink" title="查找攻击源"></a>查找攻击源</h3><figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">检查系统日志信息：</span><br><span class="line"><span class="meta">#</span><span class="bash"> tail -100 /var/<span class="built_in">log</span>/messages</span></span><br><span class="line">检查登录的账号和IP地址：</span><br><span class="line"><span class="meta">#</span><span class="bash"> tail -100 /var/<span class="built_in">log</span>/secure</span></span><br><span class="line">检查系统是否有异常，例如发包量过大等：</span><br><span class="line"><span class="meta">#</span><span class="bash"> dmesg</span></span><br><span class="line">查找到攻击源，可以使用防火墙将此攻击源屏蔽。</span><br></pre></td></tr></table></figure>

<p>###　原因分析</p>
<p>​    <strong>服务器被入侵原因通常有几个：系统漏洞、中间件漏洞（程序漏洞）、代码漏洞、安全设置不正确、网络层面 没有限制等。 如果是系统漏洞和中间件漏洞，需要使用没有发现漏洞的系统和中间件进行升级。 如果是程序/代码漏洞，需要修改程序代码进行修改，或者部署waf防火墙。 如果是安全设置不正确，需要进一步检查安全配置。 如果是网络层面没有限制，需要在防火墙和IPS上进行检查。 通过植入文件启动进程的入侵方式，一般户看到类似这种进程或者文件：aa.sh，.sdofafdjja，是通过系 统漏洞或者中间件漏洞入侵的；如果没有发现被植入的文件，但是系统就是有异常，这种一般是通过代码漏洞 来入侵的。</strong></p>

    </div>
    <div>
  
    <div>
    
        <div style="text-align:center;color: #ccc;font-size:14px;">-------------本文结束<i class="fa fa-paw"></i>感谢您的阅读-------------</div>
    
</div>
  
</div>

    
    
    
      
       
        
<div class="my_post_copyright">
  <script src="//cdn.bootcss.com/clipboard.js/1.5.10/clipboard.min.js"></script>
  
  <!-- JS库 sweetalert 可修改路径 -->
  <script src="https://cdn.bootcss.com/jquery/2.0.0/jquery.min.js"></script>
  <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  <p><span>本文标题:</span><a href="/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/">Linux应急响应</a></p>
  <p><span>文章作者:</span><a href="/" title="访问 Odin 的个人博客">Odin</a></p>
  <p><span>发布时间:</span>2020年05月27日 - 22:05</p>
  <p><span>最后更新:</span>2020年05月27日 - 22:05</p>
  <p><span>原始链接:</span><a href="/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/" title="Linux应急响应">https://gwashitgton.gitee.io/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/</a>
    <span class="copy-path"  title="点击复制文章链接"><i class="fa fa-clipboard" data-clipboard-text="https://gwashitgton.gitee.io/2020/05/27/Linux%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/"  aria-label="复制成功！"></i></span>
  </p>
  <p><span>许可协议:</span><i class="fa fa-creative-commons"></i> <a rel="license" href="https://creativecommons.org/licenses/by-nc-nd/4.0/" target="_blank" title="Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)">署名-非商业性使用-禁止演绎 4.0 国际</a> 转载请保留原文链接及作者。</p>  
</div>
<script> 
    var clipboard = new Clipboard('.fa-clipboard');
    $(".fa-clipboard").click(function(){
      clipboard.on('success', function(){
        swal({   
          title: "",   
          text: '复制成功',
          icon: "success", 
          showConfirmButton: true
          });
    });
    });  
</script>

      
        <div class="reward-container">
  <div>如果对您有帮助，请赞助一下吧</div>
  <button onclick="var qr = document.getElementById('qr'); qr.style.display = (qr.style.display === 'none') ? 'block' : 'none';">
    打赏
  </button>
  <div id="qr" style="display: none;">
      
      <div style="display: inline-block;">
        <img src="/images/wechatpay.png" alt="Odin 微信支付">
        <p>微信支付</p>
      </div>
      
      <div style="display: inline-block;">
        <img src="/images/alipay.png" alt="Odin 支付宝">
        <p>支付宝</p>
      </div>

  </div>
</div>

        

  <div class="followme">
    <p>欢迎关注我的其它发布渠道</p>

    <div class="social-list">

        <div class="social-item">
          <a target="_blank" class="social-link" href="/atom.xml">
            <span class="icon">
              <i class="fa fa-rss"></i>
            </span>

            <span class="label">RSS</span>
          </a>
        </div>
    </div>
  </div>


      <footer class="post-footer">
          <div class="post-tags">
              <a href="/tags/Linux/" rel="tag"><i class="fa fa-tag"></i> Linux</a>
              <a href="/tags/%E5%BA%94%E6%80%A5%E5%93%8D%E5%BA%94/" rel="tag"><i class="fa fa-tag"></i> 应急响应</a>
          </div>

        


        
    <div class="post-nav">
      <div class="post-nav-item">
    <a href="/2020/05/08/Windows%E5%AE%89%E5%85%A8%E5%8A%A0%E5%9B%BA/" rel="prev" title="Windows安全加固">
      <i class="fa fa-chevron-left"></i> Windows安全加固
    </a></div>
      <div class="post-nav-item">
    <a href="/2020/06/22/IRF%E9%85%8D%E7%BD%AE%E6%8C%87%E5%8D%97/" rel="next" title="IRF配置指南">
      IRF配置指南 <i class="fa fa-chevron-right"></i>
    </a></div>
    </div>
      </footer>
    
  </article>
  
  
  



          </div>
          
    <div class="comments" id="valine-comments"></div>

<script>
  window.addEventListener('tabs:register', () => {
    let { activeClass } = CONFIG.comments;
    if (CONFIG.comments.storage) {
      activeClass = localStorage.getItem('comments_active') || activeClass;
    }
    if (activeClass) {
      let activeTab = document.querySelector(`a[href="#comment-${activeClass}"]`);
      if (activeTab) {
        activeTab.click();
      }
    }
  });
  if (CONFIG.comments.storage) {
    window.addEventListener('tabs:click', event => {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      let commentClass = event.target.classList[1];
      localStorage.setItem('comments_active', commentClass);
    });
  }
</script>

        </div>
          
  
  <div class="toggle sidebar-toggle">
    <span class="toggle-line toggle-line-first"></span>
    <span class="toggle-line toggle-line-middle"></span>
    <span class="toggle-line toggle-line-last"></span>
  </div>

  <aside class="sidebar">
    <div class="sidebar-inner">

      <ul class="sidebar-nav motion-element">
        <li class="sidebar-nav-toc">
          文章目录
        </li>
        <li class="sidebar-nav-overview">
          站点概览
        </li>
      </ul>

      <!--noindex-->
      <div class="post-toc-wrap sidebar-panel">
          <div class="post-toc motion-element"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#Linux-应急响应"><span class="nav-number">1.</span> <span class="nav-text">Linux 应急响应</span></a><ol class="nav-child"><li class="nav-item nav-level-3"><a class="nav-link" href="#应急响应概述"><span class="nav-number">1.1.</span> <span class="nav-text">应急响应概述</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#服务器被攻击的症状"><span class="nav-number">1.2.</span> <span class="nav-text">服务器被攻击的症状</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#应急响应流程"><span class="nav-number">1.3.</span> <span class="nav-text">应急响应流程</span></a><ol class="nav-child"><li class="nav-item nav-level-4"><a class="nav-link" href="#查看历史命令"><span class="nav-number">1.3.1.</span> <span class="nav-text">查看历史命令</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#排查用户信息"><span class="nav-number">1.3.2.</span> <span class="nav-text">排查用户信息</span></a></li></ol></li><li class="nav-item nav-level-3"><a class="nav-link" href="#排查端口进程"><span class="nav-number">1.4.</span> <span class="nav-text">排查端口进程</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#排查文件修改"><span class="nav-number">1.5.</span> <span class="nav-text">排查文件修改</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#清理后门"><span class="nav-number">1.6.</span> <span class="nav-text">清理后门</span></a></li><li class="nav-item nav-level-3"><a class="nav-link" href="#查找攻击源"><span class="nav-number">1.7.</span> <span class="nav-text">查找攻击源</span></a></li></ol></li></ol></div>
      </div>
      <!--/noindex-->

      <div class="site-overview-wrap sidebar-panel">
        <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
    <img class="site-author-image" itemprop="image" alt="Odin"
      src="https://gitee.com/GWashitgton/Picture/raw/master/image/20200422132544.JPG">
  <p class="site-author-name" itemprop="name">Odin</p>
  <div class="site-description" itemprop="description"></div>
</div>
<div class="site-state-wrap motion-element">
  <nav class="site-state">
      <div class="site-state-item site-state-posts">
          <a href="/archives/">
        
          <span class="site-state-item-count">20</span>
          <span class="site-state-item-name">日志</span>
        </a>
      </div>
      <div class="site-state-item site-state-categories">
            <a href="/categories/">
          
        <span class="site-state-item-count">6</span>
        <span class="site-state-item-name">分类</span></a>
      </div>
      <div class="site-state-item site-state-tags">
            <a href="/tags/">
          
        <span class="site-state-item-count">11</span>
        <span class="site-state-item-name">标签</span></a>
      </div>
  </nav>
</div>
  <div class="links-of-author motion-element">
      <span class="links-of-author-item">
        <a href="https://github.com/Grergo" title="GitHub → https:&#x2F;&#x2F;github.com&#x2F;Grergo" rel="noopener" target="_blank"><i class="fab fa-github fa-fw"></i>GitHub</a>
      </span>
      <span class="links-of-author-item">
        <a href="mailto:weikangwang730@gmail.com" title="E-Mail → mailto:weikangwang730@gmail.com" rel="noopener" target="_blank"><i class="fa fa-envelope fa-fw"></i>E-Mail</a>
      </span>
  </div>



      </div>

    </div>
  </aside>
  <div id="sidebar-dimmer"></div>


      </div>
    </main>

    <footer class="footer">
      <div class="footer-inner">
        

        

<div class="copyright">
  
  &copy; 
  <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-heart"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">Odin</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-chart-area"></i>
    </span>
      <span class="post-meta-item-text">站点总字数：</span>
    <span title="站点总字数">59k</span>
    <span class="post-meta-divider">|</span>
    <span class="post-meta-item-icon">
      <i class="fa fa-coffee"></i>
    </span>
      <span class="post-meta-item-text">站点阅读时长 &asymp;</span>
    <span title="站点阅读时长">54 分钟</span>
</div>

        








      </div>
    </footer>
  </div>

  
  <script size="300" alpha="0.6" zIndex="-1" src="/lib/canvas-ribbon/canvas-ribbon.js"></script>
  <script src="/lib/anime.min.js"></script>
  <script src="//cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js"></script>
  <script src="//cdn.jsdelivr.net/gh/fancyapps/fancybox@3/dist/jquery.fancybox.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>









<script>
document.querySelectorAll('.pdfobject-container').forEach(element => {
  let url = element.dataset.target;
  let pdfOpenParams = {
    navpanes : 0,
    toolbar  : 0,
    statusbar: 0,
    pagemode : 'thumbs',
    view     : 'FitH'
  };
  let pdfOpenFragment = '#' + Object.entries(pdfOpenParams).map(([key, value]) => `${key}=${encodeURIComponent(value)}`).join('&');
  let fullURL = `/lib/pdf/web/viewer?file=${encodeURIComponent(url)}${pdfOpenFragment}`;

  if (NexT.utils.supportsPDFs()) {
    element.innerHTML = `<embed class="pdfobject" src="${url + pdfOpenFragment}" type="application/pdf" style="height: ${element.dataset.height};">`;
  } else {
    element.innerHTML = `<iframe src="${fullURL}" style="height: ${element.dataset.height};" frameborder="0"></iframe>`;
  }
});
</script>




  

  

<script>
NexT.utils.loadComments(document.querySelector('#valine-comments'), () => {
  NexT.utils.getScript('https://cdn.jsdelivr.net/npm/valine@1.4.7/dist/Valine.min.js', () => {
    var GUEST = ['nick', 'mail', 'link'];
    var guest = 'nick,mail,link';
    guest = guest.split(',').filter(item => {
      return GUEST.includes(item);
    });
    new Valine({
      el         : '#valine-comments',
      verify     : true,
      notify     : false,
      appId      : '9avK28PbOuQyIMAUY8akDkwc-gzGzoHsz',
      appKey     : 'XKxrXsCfnD7W4M7AwOCslEvq',
      placeholder: "说点什么吧",
      avatar     : 'hide',
      meta       : guest,
      pageSize   : '10' || 10,
      visitor    : false,
      lang       : 'zh-cn' || 'zh-cn',
      path       : location.pathname,
      recordIP   : false,
      serverURLs : ''
    });
  }, window.Valine);
});
</script>

<script src="/live2dw/lib/L2Dwidget.min.js?094cbace49a39548bed64abff5988b05"></script><script>L2Dwidget.init({"pluginRootPath":"live2dw/","pluginJsPath":"lib/","pluginModelPath":"assets/","tagMode":false,"debug":false,"log":false,"model":{"jsonPath":"/live2dw/assets/z16.model.json"},"display":{"position":"left","width":200,"height":300},"mobile":{"show":false},"react":{"opacity":0.9}});</script></body>
</html>
